Re: [wildfly-dev] Read Elytron security domain from Undertow's ApplicationSecurityDomainService

Thanks Darran. I uploaded the war deployment and reproduce steps readme to https://github.com/jimma/elytron-null-securitydomain. Let me know if this helps to debug why the SecurityDomain is not associated. On Thu, Apr 2, 2020 at 12:33 AM Darran Lofthouse < darran.lofthouse(a)jboss.com&gt; wrote: > TBH Jim, I think I would need to dig into the code with a debugger to > double check what is happening there. > > SecurityDomain.getCurrent() will return null when no SecurityDomain is > associated with the deployment, the DeploymentUnitProcessor added for the > Elytron integration essentially checks what SecurityDomain name Undertow > was going to use and then checks if it should swap in an Elytron > SecurityDomain instead. > > If SecurityDomain association is being skipped due to the lack of a > security-constraint we should probably revisit that as there are plenty of > scenarios where association of a SecurityDomain would make sense even if > the constraints are not defined in the web.xml. > > > On Wed, Apr 1, 2020 at 11:29 AM Jim Ma <ema(a)redhat.com&gt; wrote: > >> Hi Darran, >> >> The SecurityDomain.getCurrent() returns null when there is "other" >> security domain in jboss-web.xml and no “security-constraint” defined >> in web.xml like: >> >> -------------jboss-web.xml--------------------- >> <jboss-web> >> <security-domain>other</security-domain> >> </jboss-web> >> --------------web.xml------------------------------ >> <web-app >> version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee >> http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> >> <servlet> >> <servlet-name>TestService</servlet-name> >> >> <servlet-class>org.jboss.test.ws.jaxws.samples.wsse.policy.jaas.ServiceImpl</servlet-class> >> </servlet> >> <servlet-mapping> >> <servlet-name>TestService</servlet-name> >> <url-pattern>/*</url-pattern> >> </servlet-mapping> >> </web-app> >> >> Does this mean Elytron security domain mapped by undertow "other" >> application domain only is enforced/set for web deployment which contains < >> security-constraint>deployment descriptor ? >> When does SecurityDomain.getCurrent() return null value ? >> >> Thanks, >> Jim >> >> On Mon, Mar 16, 2020 at 6:35 PM Darran Lofthouse < >> darran.lofthouse(a)jboss.com&gt; wrote: >> >>> Yes there should be no difference at runtime, if we identified the >>> Elytron domain via the default security domain it should still be >>> associated with the deployment in the same way. >>> >>> On Mon, Mar 16, 2020 at 10:33 AM Jim Ma <ema(a)redhat.com&gt; wrote: >>> >>>> Will this work for Undertow default "other" application security >>>> domain's reference Elytron SecurityDomain ? >>>> >>>> On Mon, Mar 16, 2020 at 6:26 PM Darran Lofthouse < >>>> darran.lofthouse(a)jboss.com&gt; wrote: >>>> >>>>> Overall it is the SecurityDomain.getCurrent method you need: - >>>>> >>>>> >>>>> https://wildfly-security.github.io/wildfly-elytron/master-public/org/wild... >>>>> >>>>> If a SecurityDomain is associated with the Thread's context class >>>>> loader it will be returned. >>>>> >>>>> On Mon, Mar 16, 2020 at 10:22 AM Jim Ma <ema(a)redhat.com&gt; wrote: >>>>> >>>>>> >>>>>> >>>>>> On Mon, Mar 16, 2020 at 6:07 PM Darran Lofthouse < >>>>>> darran.lofthouse(a)jboss.com&gt; wrote: >>>>>> >>>>>>> I don't know if it will help but the SecurityDomain is associated >>>>>>> with the ClassLoader of the deployment, not sure if that could be an >>>>>>> alternative way for WS to access it. >>>>>>> >>>>>>> I'll try it . Can you please point me some code example or test >>>>>> code? >>>>>> >>>>>> >>>>>>> The thing that is complicating it for now is the dual mode with >>>>>>> PicketBox, once we remove PicketBox a deployment will either have an >>>>>>> Elytron SecurityDomain or it will not. >>>>>>> >>>>>> Yes. Now webservice has to add many PicketBox or Elytron checks to >>>>>> do following actions. We wrap this as much as possible with spi >>>>>> interface. >>>>>> >>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>>> On Fri, Mar 13, 2020 at 8:20 AM Jim Ma <ema(a)redhat.com&gt; wrote: >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Thu, Mar 12, 2020 at 8:12 PM Darran Lofthouse < >>>>>>>> darran.lofthouse(a)jboss.com&gt; wrote: >>>>>>>> >>>>>>>>> Is it possible to identify the revelevent >>>>>>>>> DeploymentUnitProcessors in this process along with their phase and >>>>>>>>> priority so we can check the ordering. >>>>>>>>> >>>>>>>> >>>>>>>> The "other"'s mapped Elytron security domain service is >>>>>>>> required to read in EndpointServiceDeploymentAspect. It's installed >>>>>>>> in Phase.INSTALL, Phase.INSTALL_WS_DEPLOYMENT_ASPECTS priority. It's >>>>>>>> running before UndertowDeploymentProcessor >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> What may be more appropriate is for the Undertow DUP to attach >>>>>>>>> something which identifies the SecurityDomain instead of the web services >>>>>>>>> DUP relying on internal API / repeating the same checks already performed >>>>>>>>> within Undertow. >>>>>>>>> >>>>>>>>> In the future we will be removing all of the application security >>>>>>>>> domain resources so coordinating using attachments will hopefully also >>>>>>>>> future proof any fix. >>>>>>>>> >>>>>>>> >>>>>>>> It looks this attachment should be set in some Undertow DUP >>>>>>>> before UndertowDeploymentProcessor. WebService needs a Securitycontext to >>>>>>>> call the ejb ws endpoint method or webservice endpoint method : >>>>>>>> >>>>>>>> https://github.com/wildfly/wildfly/blob/master/webservices/server-integra... >>>>>>>> Is there better api/approach to perform this kind of method >>>>>>>> invocation ? >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Jim >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> Darran Lofthouse. >>>>>>>>> >>>>>>>>> >>>>>>>>> On Thu, Mar 12, 2020 at 11:45 AM Jim Ma <ema(a)redhat.com&gt; wrote: >>>>>>>>> >>>>>>>>>> There is ws deployment failure issue[1] which is caused by >>>>>>>>>> Webservice subsystem doesn't correctly get mapped elytron security domain >>>>>>>>>> from web deployment's default "other" >>>>>>>>>> application security domain. I tried to fix this by reading >>>>>>>>>> Elytron security domain from Undertow started services, but it looks now >>>>>>>>>> ApplicationSecurityDomainService is private static and it doesn't provide a >>>>>>>>>> getter which allows to get Elytron security domain. Webservice subsystem >>>>>>>>>> requires an Undertow service like ApplicationSecurityDomainService[2] >>>>>>>>>> started by EJB subsystem to read the Elytron security domain. Is it doable >>>>>>>>>> to change Undertow's ApplicationSecurityDomainService to provide mapped >>>>>>>>>> security domain ? Or any better approach to get the mapped Elytron domain ? >>>>>>>>>> >>>>>>>>>> [1]https://issues.redhat.com/browse/WFLY-12765 >>>>>>>>>> [2] >>>>>>>>>> https://github.com/wildfly/wildfly/blob/master/ejb3/src/main/java/org/jbo... >>>>>>>>>> >>>>>>>>>> Cheers, >>>>>>>>>> Jim >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> wildfly-dev mailing list >>>>>>>>>> wildfly-dev(a)lists.jboss.org >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/wildfly-dev >>>>>>>>> >>>>>>>>>